I found a buffer overflow in the at45db module. The error was in the chunk length calculation. The patch is attached.
Chip AT45DB041D: reading, writing and erasing operations work correctly.
Best regards, Alexander Irenkov
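The thread does not show the actual at45db.c code or either patch, so the following is an added, stand-alone illustration of the bug class named above (a chunk length that is clamped to the page boundary but not to the bytes actually remaining), not flashrom's code and not the real defect. The 256-byte page size, the function names and the 300-byte write at offset 100 are assumptions made for the example; real AT45DB parts use different (and sometimes 264-byte) pages.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed page geometry for this illustration only (not a flashrom constant). */
#define PAGE_SIZE 256u

/* Buggy form: the chunk is cut at the next page boundary but never
 * limited by how many input bytes are left, so the last partial page
 * makes the caller read past the end of the source buffer. */
static size_t chunk_len_buggy(unsigned addr, size_t remaining)
{
    (void)remaining;
    return PAGE_SIZE - (addr % PAGE_SIZE);
}

/* Fixed form: bounded by both the page boundary and the remaining bytes. */
static size_t chunk_len_fixed(unsigned addr, size_t remaining)
{
    size_t to_boundary = PAGE_SIZE - (addr % PAGE_SIZE);
    return remaining < to_boundary ? remaining : to_boundary;
}

/* Simulated page-program loop: copies 'len' bytes from 'src' into a
 * simulated flash image of 'flash_size' bytes, one chunk at a time.
 * Returns the number of chunks issued, or -1 if a chunk would step
 * outside the source buffer or the flash image. A real driver would
 * hand each chunk to the SPI page-program command instead of memcpy,
 * and the over-long chunk would become a real out-of-bounds read. */
static int program_chunked(uint8_t *flash, size_t flash_size,
                           unsigned start, const uint8_t *src, size_t len,
                           size_t (*chunk_len)(unsigned, size_t))
{
    size_t done = 0;
    int chunks = 0;

    while (done < len) {
        size_t n = chunk_len(start + done, len - done);

        if (n == 0 || n > len - done)               /* would overrun src */
            return -1;
        if ((size_t)start + done + n > flash_size)  /* would overrun flash */
            return -1;

        memcpy(flash + start + done, src + done, n);
        done += n;
        chunks++;
    }
    return chunks;
}

/* Constructed scenario: 300 bytes written at offset 100 of a 1 KiB image.
 * Returns the chunk count, -1 for a detected overrun, -2 on data mismatch. */
static int demo_case(size_t (*chunk_len)(unsigned, size_t))
{
    uint8_t flash[1024];
    uint8_t src[300];
    int r;

    memset(flash, 0xff, sizeof flash);
    for (size_t i = 0; i < sizeof src; i++)
        src[i] = (uint8_t)i;

    r = program_chunked(flash, sizeof flash, 100, src, sizeof src, chunk_len);
    if (r > 0 && memcmp(flash + 100, src, sizeof src) != 0)
        return -2;
    return r;
}

int main(void)
{
    printf("fixed chunking: %d (expect 2 chunks: 156 + 144 bytes)\n",
           demo_case(chunk_len_fixed));
    printf("buggy chunking: %d (expect -1: second chunk asks for 256 of 144 remaining)\n",
           demo_case(chunk_len_buggy));
    return 0;
}
```

The point to take from the example is the check in the loop: whatever the chunk-size helper returns, the caller should refuse any chunk longer than the bytes still left in its input, so a wrong helper fails loudly instead of silently reading past the buffer.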
On Sat, 01 Feb 2014 11:56:22 +0600 degener_trash@mail.ru wrote:
> I found a buffer overflow in the at45db module. The error was in the chunk length calculation. The patch is attached.
> Chip AT45DB041D: reading, writing and erasing operations work correctly.
> Best regards, Alexander Irenkov
Yes, you are right, Alexander, thank you. I think the error was introduced by some refactorings or rebasing the original patch. I think my original code looked a bit different/simpler than Alexander's. I have attached my version of a patch to fix this.
Now I am interested whether this version fixes the problem The Raven was seeing only on erase, even with your patch applied.
The Raven: If this does not fix the erase issue then please add ' -g' to the CFLAGS in the makefile, recompile flashrom completely (make -B or make clean + make), and run an erase within gdb with 'spew' debug level:
$ gdb --args ./flashrom -VVV -E -p ...
[…]
(gdb) r
Starting program: […]
[…]
Segfault detected […]
(gdb) bt
<Backtrace output>
(gdb) q
$
Please send me the flashrom log and the backtrace obtained from GDB.
Hi and THX for your patch! :-) Tested again with the newest flashrom (r1790), AT45DB021D and your patch: Read and erase work (see the attached log (only for erase; if you need a read log, tell me)). But write is not working (see log). The strange thing is: the first write command works. But the dumped file, or let's say the flash, was only 3/4 (or less) full of data. So I filled it up with dummy data (hex editor) to write the whole flash. After that, write doesn't work anymore. But erase still works.
I have only applied the second patch. Is this wrong? Do I need both patches?
I have AT45DB011B, AT45DB011D, AT45DB021D and AT45DB161D to test drive.
Greetings and thx
Raven
PS: Sorry for my bad English.
On Sat, 10 May 2014 12:53:06 +0200 The Raven originalraven@hotmail.com wrote:
> Hi and THX for your patch! :-) Tested again with the newest flashrom (r1790), AT45DB021D and your patch: Read and erase work (see the attached log (only for erase; if you need a read log, tell me)). But write is not working (see log). The strange thing is: the first write command works. But the dumped file, or let's say the flash, was only 3/4 (or less) full of data. So I filled it up with dummy data (hex editor) to write the whole flash. After that, write doesn't work anymore. But erase still works.
> I have only applied the second patch. Is this wrong? Do I need both patches?
No, mine intends to fix the same thing as Alexander's. You only need one/mine.
> I have AT45DB011B, AT45DB011D, AT45DB021D and AT45DB161D to test drive.
Thanks a lot for testing. This is a bit odd. Maybe there is another bug somewhere, e.g. in the definition of AT45DB021D. Please create all logs with the -o option of flashrom in the future. This guarantees the correct order of messages (which is wrong in the write log you sent).
Can you please do another write (best would be fresh random data, easily created with dd) but with '-VVV -o AT45DB021D-write-VVV.log'? It might be useful to know the exact data too, so please upload the following images to http://paste.flashrom.org too.
- The random image supplied to -w
- The image read after writing, produced by -r
I would also like to know if another chip works with the patch now, but that's not so important. I have a AT45DB041D myself and will try on that too in the next days. I need to set up my equipment first though.
> PS: Sorry for my bad English.
Perfectly understandable and not embarrassing at all, really.
On 10.05.2014 14:00, Stefan Tauner wrote:
> Thanks a lot for testing. This is a bit odd. Maybe there is another bug somewhere, e.g. in the definition of AT45DB021D. Please create all logs with the -o option of flashrom in the future. This guarantees the correct order of messages (which is wrong in the write log you sent).
> Can you please do another write (best would be fresh random data, easily created with dd) but with '-VVV -o AT45DB021D-write-VVV.log'? It might be useful to know the exact data too, so please upload the following images to http://paste.flashrom.org too.
> - The random image supplied to -w
> - The image read after writing, produced by -r
Done. The VVV log is attached.
Random test file: http://paste.flashrom.org/view.php?id=2599
File read back after flashing: http://paste.flashrom.org/view.php?id=2600
The read-back file is empty! Uh! :-o It has only FF and 00 inside.
> I would also like to know if another chip works with the patch now, but that's not so important. I have a AT45DB041D myself and will try on that too in the next days. I need to set up my equipment first though.
Unfortunately I cannot find my AT45DB011D, so I cannot test with this chip. :-( But I will search for it, and if I find it I will do the same tests and compare.